Analysis
- max time kernel: 41s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-08-2022 15:56

Behavioral task behavioral1
- Sample: 0ZyLuMsm.ps1
- Resource: win7-20220812-en

Behavioral task behavioral2
- Sample: 0ZyLuMsm.ps1
- Resource: win10v2004-20220812-en
General
- Target: 0ZyLuMsm.ps1
- Size: 3KB
- MD5: 236285a8cc63669302f69d8087edb66e
- SHA1: 8581592c092100505a15f701697584809cf33ccf
- SHA256: 454add1bfdc98b944ed97984f1771ec09c9a4c869e3fb6936573d0db8a83ac30
- SHA512: c36bb0f60610531b4d6704baeb193fce0ad97f4915e02a2a17daa54a12ffd4777c5ac2240fe00ede18b82da92afa263ae364e0dfbae9abbb0152ed33cfc7e088
Malware Config
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid  | process
  1    | 1912 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid  | process
  1912 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1912 | powershell.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                      | pid  | process        | target process
  PID 1912 wrote to memory of 1224 | 1912 | powershell.exe | csc.exe
  PID 1912 wrote to memory of 1224 | 1912 | powershell.exe | csc.exe
  PID 1912 wrote to memory of 1224 | 1912 | powershell.exe | csc.exe
  PID 1224 wrote to memory of 860  | 1224 | csc.exe        | cvtres.exe
  PID 1224 wrote to memory of 860  | 1224 | csc.exe        | cvtres.exe
  PID 1224 wrote to memory of 860  | 1224 | csc.exe        | cvtres.exe
Processes
- (depth 1) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ZyLuMsm.ps1
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.cmdline"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES263.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC252.tmp"
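The process tree above (powershell.exe launched with -ExecutionPolicy bypass, spawning csc.exe with a response file in the user's Temp directory, which in turn spawns cvtres.exe) is the footprint of a script compiling C# on the fly. The following is an added detection example, not part of the sandbox report or the sample: it reconstructs that chain from process-creation events and derives the compile artifacts to collect. The event records are constructed from the PIDs and command lines on this page, plus one constructed benign compile as a control; the field names (pid, ppid, image, cmdline) are an assumed simplified schema rather than any particular sensor's output.

```python
import re

# Constructed sample events mirroring this report's process tree (PIDs 1912,
# 1224, 860) plus one constructed benign compile to show what is NOT flagged.
# Field names are an assumed simplified schema, not a specific sensor's format.
EVENTS = [
    {"pid": 1912, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\0ZyLuMsm.ps1"},
    {"pid": 1224, "ppid": 1912,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.cmdline"'},
    {"pid": 860, "ppid": 1224,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES263.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC252.tmp"'},
    # Constructed benign control: a build-tool compile with a project response file.
    {"pid": 2000, "ppid": 1500,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r'csc.exe /noconfig @"C:\src\proj\obj\Debug\proj.rsp"'},
]

# Response file handed to csc.exe from the user's Temp directory, as in the report.
TEMP_RSP = re.compile(r'@"?[^"\s]*\\AppData\\Local\\Temp\\[^"\s]+\.cmdline', re.I)
# PowerShell accepts any unambiguous prefix of -ExecutionPolicy (-ep, -exec, ...).
EP_BYPASS = re.compile(r"-e[a-z]*\s+bypass", re.I)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_adhoc_compiles(events):
    """Flag csc.exe processes that look like a script-driven ad hoc compile.

    Each reason is one observable taken from the report: a powershell.exe
    parent, -ExecutionPolicy bypass on that parent, a .cmdline response file
    in Temp, and a cvtres.exe child (the resource step csc runs when linking).
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != "csc.exe":
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "powershell.exe":
            reasons.append("csc.exe spawned by powershell.exe")
            if EP_BYPASS.search(parent["cmdline"]):
                reasons.append("parent ran with -ExecutionPolicy bypass")
        if TEMP_RSP.search(e["cmdline"]):
            reasons.append("response file under AppData\\Local\\Temp")
        if any(c["ppid"] == e["pid"] and basename(c["image"]) == "cvtres.exe" for c in events):
            reasons.append("cvtres.exe child process")
        if reasons:
            findings.append({"csc_pid": e["pid"], "parent_pid": e["ppid"],
                             "reasons": reasons, "score": len(reasons)})
    return findings


def derive_artifacts(csc_cmdline):
    """Paths csc leaves beside a Temp response file: the .0.cs source, the
    compiled .dll and its .pdb, matching the Downloads list on this page."""
    m = re.search(r'@"?([^"\s]+)\.cmdline', csc_cmdline, re.I)
    if not m:
        return []
    stem = m.group(1)
    return [stem + ext for ext in (".cmdline", ".0.cs", ".dll", ".pdb")]


if __name__ == "__main__":
    for f in find_adhoc_compiles(EVENTS):
        print(f"csc pid {f['csc_pid']} (parent {f['parent_pid']}) score {f['score']}: {f['reasons']}")
    for p in derive_artifacts(EVENTS[1]["cmdline"]):
        print("collect:", p)
```

Only the csc.exe instance from the report (PID 1224) is flagged, with all four reasons; the constructed build-tool compile matches none of them. The artifact list is worth pulling immediately, since the .0.cs source is the plaintext of whatever the script compiled, and the files are short-lived.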
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.dll
  Filesize: 3KB
  MD5: f2c5b1c0c530a12b827673cd6dcef054
  SHA1: f3cf5b781a8590ed2503f28bdee9eeae9bd5ced6
  SHA256: 8bfb332a593d7365e3d853033cbde42c39bb4ed7da8633fbd4d73c2b6c485075
  SHA512: 2a6c53f2a0ddf649de8b2d8f4cfc6340a9eb48851c2f3522feeb497911e2f3583c24dbae1957b7d89025afd8be680fb7e176ca950be1f65993d84a7e82f8ad83
- C:\Users\Admin\AppData\Local\Temp\5kkgvdpx.pdb
  Filesize: 7KB
  MD5: 331ea8459dd39c07badeb06aef3e75f6
  SHA1: 7f28aa0e9b8eec2f45553bc128854cbfa0911219
  SHA256: c7612c608fb246534b783a262cd71305614e1440fb1e0d2283e3f6f3a9dde9aa
  SHA512: 9fd282cd3710cf8dbbf5f7f6bd6eabd4f92047b308ead0e1b847bf73f33fe376121b9d6060235dbdd32ef83eed3fc9c60ef042184399179dd42f44c870c280d0
- C:\Users\Admin\AppData\Local\Temp\RES263.tmp
  Filesize: 1KB
  MD5: c0bbd9e56c4636131db22666805d4e31
  SHA1: 9be1be6af2fb24fdbf872b344e7a57bbf75f1071
  SHA256: 15240090f80cdb583f024bd7c7863ce06c04f3539bd45c72b19070fd0da7d087
  SHA512: 15ee027527bd76c6ebfb74d003745b82ac8d861455bac9cb63674a6af32827f998624930670b4552a6ab942bc288d9d7b98b4435d3b44d01c8f5aa47f3a34533
- \??\c:\Users\Admin\AppData\Local\Temp\5kkgvdpx.0.cs
  Filesize: 468B
  MD5: 52cc39367c8ed123b15e831e52cbd25f
  SHA1: 497593af41731aedd939d2234d8d117c57a6d726
  SHA256: 5a67bcd5871f71a78abf1da47c3529617f34b47a5ab7bde0f1133a33fa751012
  SHA512: ce6b89a38b94543b6461b5ecc01054c518a6e0daa4962e249a694db198b15602e716098868322eb8275a09d936b4ef3c0242089800bac0ab1926c8bb38d78fcc
- \??\c:\Users\Admin\AppData\Local\Temp\5kkgvdpx.cmdline
  Filesize: 309B
  MD5: 10156d1289fd06bfd072c7d3141949f7
  SHA1: 1ec5c30b8c990e6461b409455cef8ebe33ec178d
  SHA256: e8293a44d82a73c735ce3c253480e2751cf41da86ea0edfee389bf6d5ae2490e
  SHA512: bec35bfdcea6e0b66640fcc50d61a95f48fa49feda6c8b0011afc72b2882f5867fcca4aac3fd59a420b70b92f94475321a97beb75cd46e96bff9959f5fe8c73b
- \??\c:\Users\Admin\AppData\Local\Temp\CSC252.tmp
  Filesize: 652B
  MD5: 31505d2f5ac900936456681c845ca5fa
  SHA1: 1af9e97ee9200ebf226a7d4999da54b36d746e3b
  SHA256: 5fdbf8b4a0b2b090ee9b3a734f9de266da786ce8f43a281e96db8672258fb2ae
  SHA512: 1c1dd295912f3786d6b3045e1039faa268631a2ef6bfeced751c3a740c082f781dc04336ba2274c2276f5c16ab9800b68fdde2204c22798aba408e2608227241
- memory/860-61-0x0000000000000000-mapping.dmp
- memory/1224-58-0x0000000000000000-mapping.dmp
- memory/1912-54-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp
  Filesize: 8KB
- memory/1912-57-0x0000000002714000-0x0000000002717000-memory.dmp
  Filesize: 12KB
- memory/1912-56-0x000007FEF3330000-0x000007FEF3E8D000-memory.dmp
  Filesize: 11.4MB
- memory/1912-55-0x000007FEF3E90000-0x000007FEF48B3000-memory.dmp
  Filesize: 10.1MB
- memory/1912-67-0x000000000271B000-0x000000000273A000-memory.dmp
  Filesize: 124KB
- memory/1912-66-0x0000000002714000-0x0000000002717000-memory.dmp
  Filesize: 12KB